Lucene search

[email protected]NVD:CVE-2024-6033

HistoryJul 17, 2024 - 7:15 a.m.

CVE-2024-6033

2024-07-1707:15:03

CWE-862

[email protected]

web.nvd.nist.gov

eventin plugin

wordpress

unauthorized data importation

import_file

capability check

cve-2024-6033

authenticated attackers

contributor-level access

events

speakers

schedules

attendee data

CVSS3

4.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

EPSS

0.001

Percentile

21.5%

JSON

The Event Manager, Events Calendar, Tickets, Registrations – Eventin plugin for WordPress is vulnerable to unauthorized data importation due to a missing capability check on the ‘import_file’ function in all versions up to, and including, 4.0.4. This makes it possible for authenticated attackers, with Contributor-level access and above, to import events, speakers, schedules and attendee data.

Affected configurations

Nvd

Node

themewintereventinRange<4.0.5wordpress

VendorProductVersionCPE
themewintereventin*cpe:2.3:a:themewinter:eventin:*:*:*:*:*:wordpress:*:*

Vendor	Product	Version	CPE
themewinter	eventin	*	cpe:2.3:a:themewinter:eventin::::::wordpress::*

References

plugins.trac.wordpress.org/browser/wp-event-solution/trunk/core/admin/hooks.php#L135

plugins.trac.wordpress.org/changeset/3117477/

www.wordfence.com/threat-intel/vulnerabilities/id/1725c7f3-2fac-4714-a63e-6c43694483fc?source=cve

CVSS3

4.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

EPSS

0.001

Percentile

21.5%

JSON

Related for NVD:CVE-2024-6033

cvelist1 vulnrichment1 cve1 wordfence1